Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/05/2023, 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8.exe

  • Size

    4.2MB

  • MD5

    8d0b8f43b2ffb6522410fe96919c815a

  • SHA1

    3958cccac8d92ad681d75a39a72227447f59cb0e

  • SHA256

    8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8

  • SHA512

    75df7c645e92f7820439e0f1597603488c0cc61759cb45a5436adf8451759466752737d13bf4e9dc5e50afaa04d1e5a9e0c23711e960763b6df7ef70a440495f

  • SSDEEP

    98304:n2FCBFlwInBnvoxMm3AMa/Fuiv5xCkjo1bUaPD+:osTxn1oCMqCkjo1IaPC

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8.exe
    "C:\Users\Admin\AppData\Local\Temp\8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:348
    • C:\Users\Admin\AppData\Local\Temp\8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8.exe
      "C:\Users\Admin\AppData\Local\Temp\8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2588
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3228
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3464
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5100
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4928
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2792
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4020

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rx1nnsaw.xr5.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      cea505293b2e23a658c7d6faf1e794d2

      SHA1

      8fff07ef790f5a83c22392187e40c61f455dc724

      SHA256

      877aefeec8560d7d6e49ce958d4068015570829e0c5d8041518edd78aa77fb26

      SHA512

      e6f4608dfd30ab8aa7335665331115060a628ea78fc207b82829af9efb5b0c5723b449256559ce73f213a913074e71301391f303b1f107177b01052e64d20bec

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      5dc1608c80132f39c3d4797694a6f841

      SHA1

      102c2bbfd474cab49adee9a8f136b523d55dedd8

      SHA256

      36f1750e0b12dc70e8b555235d6b0075c9ece9183147497c05a5b0d93fa4764a

      SHA512

      146774ed17bc5369e0548af0c4e1dd843c3817fe229789e62cdedbe3ac9f35d0d59a00f6fa4134e77b895babad8b5b039b19a746a225f27437efb58337c842f1

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      6d4fcd4b2e794bdfaf707d1dd9852dcf

      SHA1

      37b30e27784843e7f17b1e762c80d6c140d309cf

      SHA256

      74b0d65c63f6b7b817672bb033c577223a5fe2f663813b3be99ee62fa028f6fb

      SHA512

      67450c74ac911eac610524f4d639cdb99aaee0606160b772bb253ce468ce258847a7d1a09ffefd50865e0d66ea26425e7e18b67ad757c3e533493c2b53da3990

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      93922980fda83e333dda579024f5b9a9

      SHA1

      1b314c97fbbbb9c596d4eaf97c9e5076dc9482a8

      SHA256

      890570d2df811d7365611866ed0bcf3ccb55ef0472a3ac1a3fce03ce9523403d

      SHA512

      0de56822852b1708ac77bb0701620a9a05474ad5def9a1cc3543c30106a1dce103c86efd286f49aefd21671532f0a27de09b38028a8c38ef669c27239a517dac

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      f4d95ccbbbc2f0f39006414116a7c508

      SHA1

      01559b04bfce5c61632bd52b9f263ae20c050c1b

      SHA256

      3a6877acb1348d3bfc912cccc15a22b697fe977c8d842b5951304806bc942f71

      SHA512

      37937227590843aab7362a640bac33e3cbd9877b5bf43366913905378d0493067c16c6dbe7d268f4e8f83b0252cc2d69d55094380f5f067f1b06c9b7b089fea0

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      8d0b8f43b2ffb6522410fe96919c815a

      SHA1

      3958cccac8d92ad681d75a39a72227447f59cb0e

      SHA256

      8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8

      SHA512

      75df7c645e92f7820439e0f1597603488c0cc61759cb45a5436adf8451759466752737d13bf4e9dc5e50afaa04d1e5a9e0c23711e960763b6df7ef70a440495f

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      8d0b8f43b2ffb6522410fe96919c815a

      SHA1

      3958cccac8d92ad681d75a39a72227447f59cb0e

      SHA256

      8b3cf889e354dbfbdf735f6068642cac7c25aa2de9ac16a387191870c5d526f8

      SHA512

      75df7c645e92f7820439e0f1597603488c0cc61759cb45a5436adf8451759466752737d13bf4e9dc5e50afaa04d1e5a9e0c23711e960763b6df7ef70a440495f

      Download Submit

    • memory/348-151-0x0000000008A30000-0x0000000008A6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/348-397-0x0000000006860000-0x0000000006868000-memory.dmp

      Filesize

      32KB

      Download

    • memory/348-182-0x0000000008AF0000-0x0000000008B66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/348-189-0x0000000009910000-0x0000000009943000-memory.dmp

      Filesize

      204KB

      Download

    • memory/348-190-0x00000000098F0000-0x000000000990E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/348-195-0x000000007E7D0000-0x000000007E7E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-196-0x0000000009950000-0x00000000099F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/348-197-0x0000000009B50000-0x0000000009BE4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/348-266-0x0000000000960000-0x0000000000970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-132-0x0000000007660000-0x00000000076AB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/348-392-0x0000000006870000-0x000000000688A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/348-130-0x00000000076C0000-0x0000000007A10000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/348-415-0x0000000000960000-0x0000000000970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-414-0x0000000000960000-0x0000000000970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-131-0x0000000007620000-0x000000000763C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/348-123-0x00000000009B0000-0x00000000009E6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/348-124-0x0000000006D70000-0x0000000007398000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/348-125-0x0000000000960000-0x0000000000970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-126-0x0000000000960000-0x0000000000970000-memory.dmp

      Filesize

      64KB

      Download

    • memory/348-127-0x0000000006AF0000-0x0000000006B12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/348-128-0x0000000006C90000-0x0000000006CF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/348-129-0x0000000006D00000-0x0000000006D66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2248-447-0x00000000096B0000-0x0000000009755000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2248-423-0x0000000006E00000-0x0000000006E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2248-516-0x000000007EB60000-0x000000007EB70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2248-421-0x0000000007B80000-0x0000000007ED0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2248-422-0x0000000006E00000-0x0000000006E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2248-517-0x0000000006E00000-0x0000000006E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2248-424-0x00000000081A0000-0x00000000081EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2536-687-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2536-1150-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2588-1185-0x000000007F300000-0x000000007F310000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2588-1182-0x0000000009870000-0x0000000009915000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2588-1159-0x0000000008840000-0x000000000888B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2588-1186-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2588-1155-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2588-1157-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2588-1156-0x0000000007FC0000-0x0000000008310000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2788-921-0x0000000006B40000-0x0000000006B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2788-944-0x0000000006B40000-0x0000000006B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2788-922-0x0000000006B40000-0x0000000006B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2788-942-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2876-417-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2876-120-0x0000000002FE0000-0x00000000038CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2876-267-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1890-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1892-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1895-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1883-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1894-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1893-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1429-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1896-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1891-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1897-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3088-1889-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3880-667-0x00000000070F0000-0x0000000007100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-688-0x000000007E850000-0x000000007E860000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-717-0x00000000070F0000-0x0000000007100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3880-669-0x00000000070F0000-0x0000000007100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-1645-0x0000000000A20000-0x0000000000A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-1718-0x0000000000A20000-0x0000000000A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-1717-0x000000007E170000-0x000000007E180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-1644-0x0000000000A20000-0x0000000000A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-1432-0x00000000070B0000-0x00000000070C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-1430-0x000000007E430000-0x000000007E440000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-1426-0x0000000009A40000-0x0000000009AE5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/5100-1403-0x0000000008A40000-0x0000000008A8B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5100-1401-0x0000000007FF0000-0x0000000008340000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5100-1400-0x00000000070B0000-0x00000000070C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5100-1399-0x00000000070B0000-0x00000000070C0000-memory.dmp

      Filesize

      64KB

      Download